This subject might just barely be a programming topic. Though, in my point of view, it is of great concern to programmers because of our responsibility to develop secure code.

Recently, there has been a lot of talk about web exploits in my country. Certain organisation keep posting passwords and databases that they hacked in the last few months. In a few days, over 200,000 login credentials have been exposed to public. Most of the site-owners didn't know anything about the attempts, up to this point.

This quote from a pressman really stuck with me:

This is no advanced attack. The method used to obtain the passwords is relatively simple.

I want to know: what are some characteristics of "advanced attacks?"

My thoughs:

Would you say brute-forcing a login service is advanced? Probably not. Kind of low-tech. Was it advanced once upon a time, when you connected auto-dialers and finally got into communication-line-in (phone) at banks and federations? Back then, maybe.

If you brute-force a login service and avoid around built-in blocking systems and logs, your attack might be considered advanced. If you successfully copy an entire database through a unsecured input form, is it advanced or not?

Is it advanced if a person (Bill?) without any IT skills at all got the database from company XY? Why? Because Bill is a HVAC Service Technician and his friend are employed on XY. Probably, it's advanced, but not really technically advanced.

If we talk about a a user that came over the connectionstring through a adminpage webpart -- Tried the connectionstring finding out there are no ip filter - okey that's hardly called hack attempt. But, if the user in first place, got access to file system (leak in a file-browser-control?) and downloaded all web.config / app.config at first place. Is it advanced? The user would, doubtless, find several sites that uses same file-browser-controls. Is it severe? Probably..

A question that, at least I, often ran into questions "are md5-hash enough secure?", the fact "yes if they need to force it, to get your data". If they got the db with login and password, some of you already know: No.

Question
It's more like a comwiki here, than a specific question. I would like to read about perspectives and experience in the topic. What do you do for "more secure"? What do you define as obvous or well-known security flaws? Such questions and discussion are valuable to give more of security and more intrusion-safe system in mind when developing.

5 Answers
5

Ultimately, an attack is an attack. It doesn't matter if they used social engineering techniques to get an unsuspecting user to divulge their credentials, brute-force methods, obtained a copy of the software and performed reverse engineering or used the system in methods other than intended, or tools to simply bring the system down and render it inoperational for a period of time.

Most attacks take some kind of sophistication and knowledge of the users of the system, how the system works, or where components reside and how to access them. You could say that any successful attack is advanced - it overcame your security measures to prevent attacks. You might also say that any attack that degrades service, even if it doesn't disable the system, is also successful as your current system couldn't withstand it.

Things that have been seen before and have been studied are, or at least should be, obvious. That's why there's a great deal of work done to study security, from building secure software to analyzing security incidents to determine how and why they happened, and then producing documentation so that other people don't fall victim to the same problems.

Basic: using off the shelf tools, scripts, exploits, etc. to compromise systems. No deeper knowledge of what you are exploiting or how. Limited to public-facing internet attacks. Commonly referred to as script kiddies.

Advanced: creating your own tools to exploit holes you have discovered and/or bought. Understanding exactly how you are overflowing those buffers. Attacking non-public targets.

That's true. Advanced for the group or individual hacker/developer. Im not sure that kind of knowledge reach the targets, which just can state the fact: they hacked and the method was simple. This is a little what I was thinking about. At what moments can security experts say that a hack was advanced or not.
–
IndependentOct 27 '11 at 15:55

SQL injection is not advanced. It's probably the reason for the loss of those 200,000 passwords you are talking about.

The problem with hacking is that truly "advanced" techniques can suddenly become "simple" if somebody writes a tool for it. A good example of this is the Metasploit tool. When people find advanced new techniques, they add them to Metasploit, which make it easy for low-skilled hackers to pull off.

Another non-advanced technique is custom viruses. It's easy to create a custom virus (from a virus toolkit) that cannot be detected by anti-virus, then send that to a target, and break in. Later, detection will be added for the virus, but by then, you'll have hacked in.

"Advanced" isn't used by the hackers themselves to describe these techniques, but by defenders. When they get hacked, they are embarrassed. They aren't willing to admit they got hacked by one of these simple techniques, so they pretend the attacks are "advanced". They also stress the "illegality" of the attacks.

Obviously there is no clear line, but there are certainly some kinds of attacks that are fairly easy and can be done casually, if the target has suitable vulnerabilities. Things like simple SQL injection, path traversal, XSS, session spoofing, etc., or just plain old sniffing on a public network. All these are easy to execute, and easy to defend against, but also very common. An off-the-shelf trojan would also qualify as 'easy'.

I'd say you can earn "advanced" badge by demonstrating large amount of effort and knowledge.

Take look at this story, which describes hacking apache.org website. It took a week and required a lot of observations of minor, security details then a lot patitience to exploit them in order to gain more control over the target system. Every step required knowledge about different aspect of operating systems and/or typical server software. Every little detail matters. For example, box running apache web server usually has a number of "httpd" processes running. That is why they have called their bindshell "httpd" and not just "bindshell" which would be way more suspicious.

Also exploiting stack overflows is considered advanced (you need to have some low level knowledge) but these days there is a lot of tools out there that automate such attempts. So, you can consider it advanced up until a script is posted on some hack site for the kids to play with.